BU0

Reputation: 762

invalid_grant error when obtaining access token

I am trying to build a website where a user can log in via Azure AD B2C. After logging in, I'm trying to present a secure area where the user can change their Azure B2C user attributes (first name, last name, etc) via the Microsoft Graph API.

I am attempting to follow along with the Get a Token documentation

Everything is working up to step #3, where a call gets made out to https://login.microsoftonline.com/common/oauth2/v2.0/token to obtain an access_token using the code I received on my return URL.

Here's the general flow of what I am doing:

  1. End user clicks a login link on my localhost site that links out to my Azure B2C tenant policy. Link looks something like this:
https://login.microsoftonline.com/mytenantname.onmicrosoft.com/oauth2/v2.0/authorize
?client_id=[MyAppID]
&response_type=code+id_token
&redirect_uri=http%3A%2F%2Flocalhost%3A17000%2Fprocessing%2Findex
&response_mode=query
&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.write
&state=[MyCustomState]&p=[MyCustomPolicy]
  2. User logs in and gets redirected to the redirect_uri.

  3. redirect_uri successfully receives code, id_token, and state values.

  4. I take the code value from that and make a POST request to https://login.microsoftonline.com/common/oauth2/v2.0/token with the following body:

POST https://login.microsoftonline.com/common/oauth2/v2.0/token
HTTP/1.1

grant_type=authorization_code
&code=[code]
&client_secret=[application secret]
&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.readwrite
&redirect_uri=http%3A%2F%2Flocalhost%3A17000%2Fprocessing%2Findex
  5. The response I receive back from that endpoint is the above error message.
{
  "error": "invalid_grant",
  "error_description": "AADSTS9002313: Invalid request. Request is malformed or invalid.\r\nTrace ID: 6d7a8e32-bcbf-4fc4-a37a-87dae4781b00\r\nCorrelation ID: 252912b7-5775-491a-968f-00ab03696dd9\r\nTimestamp: 2019-06-27 22:11:18Z",
  "error_codes": [9002313],
  "timestamp": "2019-06-27 22:11:18Z",
  "trace_id": "6d7a8e32-bcbf-4fc4-a37a-87dae4781b00",
  "correlation_id": "252912b7-5775-491a-968f-00ab03696dd9"
}

Other StackOverflow posts mention verifying that the redirect_uri values have to match between the initial login and the subsequent access_token request. They appear identical to me, but I am still receiving errors.

Any ideas what could be going wrong?

Upvotes: 10

Views: 54921

Answers (2)

Assil

Reputation: 690

This is something you need to understand about OAuth on B2C before you are able to successfully request a token. This error means that the requested scope (resource) can't be accessed by you (the logged-in user) because of a lack of permissions. So, to fix that, you need to grant the required permissions to access that resource, by following these steps:

  1. Define a new scope.
  2. Grant Admin consent on that scope.
  3. Request that scope when you request a token.

In other words, in B2C --> App Registrations --> (Your App), shown in the image below, start with "Expose an API"; here you define a new scope of access, a scope of resources or an API, just metadata that you know represents some resources or API. Then you click on "API Permissions"; here you add the scope you just created and grant admin consent if needed. But at least you need to add permissions to your newly defined scope. The third and last step is when you hit https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token: make sure to pass the scope that you added.

The details are explained here (configure b2c), but I can simplify it for you.

So you need to go to your B2C:

Upvotes: 4

Md Farid Uddin Kiron

Reputation: 22505

It seems you are trying to get an access token using Authorization Code Grant V2.0.

Your request doesn't match the Authorization Code Grant V2.0 format, and that is why you have encountered that error.

The token request for Authorization Code Grant V2.0 should look like this:

Token Endpoint: `https://login.microsoftonline.com/common/oauth2/v2.0/token`

client_id: b603c7be-_YourApp_ID-e6921e61f925

scope: https://graph.microsoft.com/User.ReadWrite.All

redirect_uri: https://www.getpostman.com/oauth2/callback

grant_type: authorization_code

client_secret: Vxf1SluKbgu4P_YourAppSecret_DSeZ8wL/Yp8ns4sc=

code: OAQABAAIAAADCoMpjJXrxTq9VG9te-7FXrnBIp82sWR1nC

See the screenshot for details:

Upvotes: 1
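The two legs of the exchange discussed in the question and in both answers, as an added example that is not part of the original question or of either answer. It uses only the Python standard library and never contacts Azure; the tenant, policy name, client ID, code and secret are placeholders. `check_exchange()` compares an authorize URL against the token request that follows it for the mismatches the v2.0 token endpoint rejects: a missing `client_id`, a `redirect_uri` that is not byte-identical, token-leg scopes that were not requested on the authorize leg, and a code redeemed at a different authority or without the policy it was issued under. `problems_in_question()` re-creates the requests quoted in the question (authorize leg asking for user.read and user.write, token leg asking for user.read and user.readwrite, no `client_id` in the token body, code issued under `?p=` redeemed at `/common` without it) and reports each of those. `parse_aadsts_error()` extracts the AADSTS code and the trace and correlation IDs from an error reply such as the one in the question.

```python
"""Sanity-check an Azure AD B2C authorization-code exchange before sending it.

Added example, not code from the question or either answer. Standard library
only, no network access; all identifiers below are placeholders.
"""
import json
from urllib.parse import parse_qs, urlencode, urlsplit

TENANT = "mytenantname"                               # placeholder
POLICY = "B2C_1_signupsignin"                         # assumed policy name
CLIENT_ID = "11111111-2222-3333-4444-555555555555"    # placeholder
REDIRECT_URI = "http://localhost:17000/processing/index"
GRAPH_READ = "https://graph.microsoft.com/user.read"

# Error body quoted in the question (description shortened), used as sample input.
SAMPLE_ERROR = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS9002313: Invalid request. Request is malformed or invalid.",
    "error_codes": [9002313], "timestamp": "2019-06-27 22:11:18Z",
    "trace_id": "6d7a8e32-bcbf-4fc4-a37a-87dae4781b00",
    "correlation_id": "252912b7-5775-491a-968f-00ab03696dd9"})


def b2c_endpoint(tenant, policy, op):
    """Endpoint form from Assil's answer: policy in the path on b2clogin.com."""
    return (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
            f"{policy}/oauth2/v2.0/{op}")


def build_authorize_url(endpoint, client_id, redirect_uri, scopes, state, policy=None):
    params = {"client_id": client_id, "response_type": "code id_token",
              "redirect_uri": redirect_uri, "response_mode": "query",
              "scope": " ".join(scopes), "state": state}
    if policy:                      # login.microsoftonline.com form passes ?p=
        params["p"] = policy
    return endpoint + "?" + urlencode(params)


def build_token_body(client_id, client_secret, code, redirect_uri, scopes, policy=None):
    body = {"grant_type": "authorization_code",
            "client_id": client_id,         # required on the token leg
            "client_secret": client_secret, "code": code,
            "redirect_uri": redirect_uri,   # byte-identical to the authorize leg
            "scope": " ".join(scopes)}      # subset of the authorize-leg scopes
    if policy:
        body["p"] = policy
    return urlencode(body)


def check_exchange(authorize_url, token_url, token_body):
    """Return the mismatches between the two legs (empty list means consistent)."""
    auth = {k: v[0] for k, v in parse_qs(urlsplit(authorize_url).query).items()}
    tok = {k: v[0] for k, v in parse_qs(token_body).items()}
    problems = []
    for field in ("grant_type", "client_id", "code", "redirect_uri"):
        if field not in tok:
            problems.append(f"token request is missing {field}")
    if tok.get("grant_type", "authorization_code") != "authorization_code":
        problems.append("grant_type must be authorization_code")
    if "redirect_uri" in tok and tok["redirect_uri"] != auth.get("redirect_uri"):
        problems.append("redirect_uri differs between the authorize and token legs")
    if "client_id" in tok and tok["client_id"] != auth.get("client_id"):
        problems.append("client_id differs between the authorize and token legs")
    extra = set(tok.get("scope", "").split()) - set(auth.get("scope", "").split())
    if extra:
        problems.append("token leg asks for scopes not present on the authorize leg: "
                        + ", ".join(sorted(extra)))
    a, t = urlsplit(authorize_url), urlsplit(token_url)
    if (a.netloc, a.path.rsplit("/", 1)[0]) != (t.netloc, t.path.rsplit("/", 1)[0]):
        problems.append("code must be redeemed at the same authority that issued it")
    if auth.get("p") and tok.get("p") != auth["p"]:
        problems.append("policy (p) sent on the authorize leg but not on the token leg")
    return problems


def parse_aadsts_error(response_body):
    """Pull the AADSTS code and the IDs support asks for out of an error reply."""
    err = json.loads(response_body)
    return {"error": err["error"], "aadsts": err["error_codes"][0],
            "trace_id": err["trace_id"], "correlation_id": err["correlation_id"]}


def problems_in_question():
    """Re-create the two requests quoted in the question and report their mismatches."""
    auth_url = build_authorize_url(
        "https://login.microsoftonline.com/mytenantname.onmicrosoft.com/oauth2/v2.0/authorize",
        CLIENT_ID, REDIRECT_URI,
        ["openid", "offline_access", GRAPH_READ, "https://graph.microsoft.com/user.write"],
        "state123", policy=POLICY)
    body = urlencode({  # as in the question: no client_id, no p=, user.readwrite
        "grant_type": "authorization_code", "code": "AUTHCODE", "client_secret": "SECRET",
        "scope": f"openid offline_access {GRAPH_READ} https://graph.microsoft.com/user.readwrite",
        "redirect_uri": REDIRECT_URI})
    return check_exchange(auth_url,
                          "https://login.microsoftonline.com/common/oauth2/v2.0/token", body)


if __name__ == "__main__":
    for p in problems_in_question():
        print("-", p)
    print(parse_aadsts_error(SAMPLE_ERROR))
```

Run the file directly to list the mismatches in the question's requests; a consistent pair built with `build_authorize_url()` and `build_token_body()` against the same `b2c_endpoint()` authority yields an empty list.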
